|The Health Record Review
by Jeff Rowe, Editor
Posted on Mon, Oct 29, 2012 - 03:04 pm
The term “cyber-crime” has a real dramatic ring to it, and, no doubt, there are specific types of cyber-crime that have far-reaching effects.
But a newly released series of industry-by-industry snapshots of cyber-crime demonstrates once again that a lot of healthcare-related cyber-crime could be easily prevented.
The document in question is the "Verizon 2012 and 2011 Data Breach Investigations Reports," and it consists of “snapshots” of a number of industries, including financial services, healthcare, retail and hospitality.
What stands out about the healthcare findings is the straightforward, almost predictable patterns of activity on the part of would-be cyber thieves.
As the Executive Summary puts it, “We see repeated throughout healthcare breaches: 1) attackers targeting point of sale (POS) systems and other assets in the payment chain, or 2) the physical theft and loss of devices (from which we may assume the value of the hardware is the intent). While protecting medical devices and records is a critical part of operating in the healthcare industry, organizations cannot lose sight of other assets being targeted by attackers."
Some of the reports other healthcare findings include:
· Most of the breaches within the health care sector fell into the small to medium business category (one to 100 employees), and outpatient care facilities such as medical and dental offices comprised the bulk of these.
· Attacks were almost entirely the work of financially motivated organized criminal groups, which typically attack smaller, low-risk targets to obtain personal and payment data for various fraud schemes.
· Most attacks involved hacking and malware and often focused on point of sale (POS) systems. However, the health care industry also needs to protect medical devices and electronic health records.
Perhaps most importantly:
· The majority of breaches can be prevented with some small and relatively easy steps, including change in administrative passwords on all POS systems; implementing a firewall; avoiding using POS systems to browse the Web; and making certain the POS is a PCI DSS (Payment Card Industry Data Security Standard) compliant application.
The full report can be found here.
Photo by bclinesmith via Creative Commons